An enormous number of patches spewed out of Microsoft this month, with two ponderous cumulative updates for each version of Windows 10, a third “bonus” bug fix for Win10 Fall Creators Update (version 1709), and a just-described bug in Windows 7 that’ll leave you begging for a Win7 patch that works.

There’s also a bit of comic relief with a patch for Win10 1709, KB 4094276, that “makes improvements to ease the upgrade experience to Windows 10 Version 1709.” That’s a wonderful example of a self-referential fix.

Multiple patches for all versions of Win10

If you’re running Win10, you saw multiple big patches in March:

Version 1709 – the Fall Creators Update – saw an emergency fix, KB 4090913, on March 5, which fixed a bug introduced in the February round of patches (a bug that rendered some machines unbootable); a “regular” Patch Tuesday patch, KB 4088776, on March 13; and a big out-of-out-of-band patch, KB 4089848, on Thursday, March 22. The biggest complaints involve the usual chorus of patches that refuse to install, and driver problems. Reports of INACCESSIBLE_BOOT_DEVICE bluescreens are tapering off.

Version 1703 – the Creators Update – also got a bug fix, KB 4092077, on March 8, which fixed an earlier patch that crashed the user interface. 1703 also saw two big cumulative updates, KB 4088782 on Patch Tuesday and KB 4088891 on the really-out-of-band patch date: March 22.

Version 1607 and Server 2016 – the Anniversary Update – also got two big cumulative updates, KB 4088787 on Patch Tuesday and a big booster, KB 4088889, on the way-out-of-band Thursday. Just a reminder that, unless you’re using 1607 Enterprise or Education, your version runs out of support (as it were) on April 10.

March also presented us with the third, uh, opportunity to get forcibly pushed from Win10 1703 to 1709 – even on systems specifically set to block the upgrade.

At various points in March, users also saw updates to the Servicing Stacks for all three Win10 versions. Apparently, they resolved the race condition-related bugs that left USB drivers, in particular, dead in the water. If you’re installing the Win10 cumulative updates manually, make sure you install the respective Servicing Stack Update before you install the cumulative update.

A little bit of Word poison

Microsoft released a buggy Office 2016 security patch, KB 4011730, which left Word 2016 in such a bad state that it couldn’t save – or sometimes even open – files. We discovered later that if you install the March non-security patch for Office 2016, KB 4018295, Word 2016 suddenly got its mojo back.

Microsoft is researching this problem and will post more information in this article when the information becomes available.

Of course.

Windows 7: To patch or not to patch

All of which serves as prelude to the massive cluster-cluck that engulfed Windows 7 in March.

Win7 and Server 2008 R2 received a relatively modest Monthly Rollup, KB 4088875, and the obligatory Security-only, manually installed patch, KB 4088878, on Patch Tuesday, March 13. Almost immediately, we started seeing reports of networking problems with the patches, and some bluescreens. Shortly afterward, two specific problems bubbled up: broken manually assigned (static) IP addresses and disabled virtual network interface cards (vNICs).

At first, Microsoft didn’t acknowledge the bugs; instead it stopped the Monthly Rollup from installing automatically (for those of you naïve enough to have Automatic Update enabled). As days passed, Microsoft finally published a detailed list of “known issues in this update.”

At this point, some users report that KB 4088875 appears in Windows Update as an “important” update that isn’t checked, and which doesn’t install by default. But there’s more. Others say it’s off the Windows Update list, but apparently it’s still being pushed out via WSUS servers.

Microsoft released, then re-released, an ad-hoc VBScript program that was supposed to fix the problem. But the script has raised all sorts of questions. Poster MrBrian reports that the script was changed on March 27, with no notification. Poster abbodi86 has an improved version posted on Pastebin.

But there’s more to the story.

Yesterday, security researcher UlfFrisk posted a report about a new big security hole in Windows 7. Bucking the recent trend, UlfFrisk avoided a massive publicity campaign, replete with pre-defined exploit names and cute logos, but his “Total Meltdown” exploit almost defies imagination. As Günter Born says:

Microsoft’s Meltdown updates, shipped in January and February 2018 for Windows 7 (and Server 2008 R2) and intended to mitigate the Meltdown vulnerability, rip open a huge security hole. This allows any process under Windows 7 to read and write to any memory area without exploits…

Unfortunately, an accident happened in the January 2018 [Win7] patch (and also in February 2018 patch) when… if a (user) process has read/write access to the page tables, it is [trivial] to access the entire physical memory.

This isn’t “Sky is Falling” time. But it means that if you’re running Win7 64-bit or 2008R2 64-bit on an Intel machine, and you installed either the January or February Win7 Monthly Rollups or Security-only patches, Microsoft flipped the wrong bit, and you now have a big hole in your machine that will let any running program look at and change everything in memory. Note that you have to be running a destructive program in the first place – Total Meltdown doesn’t make it easier to run bad programs – but the security hole appears to be massive, by any estimation.

The problem is solved by the March Win7 patches, but… well, you can see what a mess those have become.
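Because Microsoft pulled KB 4088875 from automatic installation, many Win7 machines will sit in the exposed state for a while. The following inventory check is an added example, not code from the article or from Microsoft: it flags a Windows 7 / Server 2008 R2 64-bit Intel host that has neither of the two March patches the article names (KB 4088875 Monthly Rollup, KB 4088878 Security-only). It assumes PowerShell 2.0 or later with WMI available, which is what stock Win7 ships with.

```powershell
# Added example (not from the article). Flags hosts in the population the article
# describes: Win7 / Server 2008 R2, 64-bit, Intel, without a March 2018 Win7 patch.
# Caveat: Get-HotFix cannot distinguish a host that installed the January/February
# rollups (and is therefore exposed) from one that never patched at all; treat
# "Exposed = True" as "needs the March patch", not as proof of the bad page-table bit.
function Test-TotalMeltdownExposure {
    param(
        # KB IDs of the March 2018 Win7 patches named in the article.
        [string[]]$FixKbs = @('KB4088875', 'KB4088878')
    )

    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $cpu = Get-WmiObject -Class Win32_Processor | Select-Object -First 1

    $isWin7Family = $os.Version -like '6.1.*'          # Win7 and Server 2008 R2 are both NT 6.1
    $is64Bit      = $os.OSArchitecture -like '64*'     # the article scopes the bug to 64-bit
    $isIntel      = $cpu.Manufacturer -eq 'GenuineIntel'

    # Either March patch supersedes the January/February ones the article blames.
    $hasMarchFix = $false
    foreach ($kb in $FixKbs) {
        if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
            $hasMarchFix = $true
        }
    }

    $inScope = $isWin7Family -and $is64Bit -and $isIntel

    New-Object -TypeName PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = $os.Version
        InScope      = $inScope
        HasMarchFix  = $hasMarchFix
        Exposed      = ($inScope -and -not $hasMarchFix)
    }
}

# Run locally; pipe the object to Export-Csv to collect results across a fleet.
Test-TotalMeltdownExposure | Format-List
```

Hosts fed by WSUS should be checked the same way, since the article notes the pulled rollup is still being offered there while the script-based network fix keeps changing.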